And I'd far rather do it in software than with the alleged "red-eye reduction" mode on my camera's flash. I've turned it off ever since the first picture I ever took with "red-eye reduction". It reduced red-eye alright; everyone closed their eyes on the first firing of the flash, so I got a picture of four sysadmins drinking beer with their eyes closed.
I don't know if my newer cameras are any better--I've never used red-eye reduction on them. But I'd rather fix red-eye on the computer than screw up the rest of the picture in the field.
Heck, Red Steel was featured in the launch ads for the Wii. It may not be the greatest game, but when the guy says "All right, get a gun" and the player starts shooting people, well, I think that's pretty violent.
Maybe that's just 'cause I think shooting people is violent.
HSBC Direct Canada bloody uses them. And you're limited to answers LONGER than 8 characters. And you can't have a space.
And all my hobbies have spaces in them OR are shorter than 8 characters, same with car, same with city, same with mother's maiden name, same with school name, and so on.
So I added more "masked" columns to my SpashID entry for that account and filled out more random gibberish.
78s are not vinyl, they're phenolic (Bakelite). Whether or not they have any warmth depends on whether you've been able to find the right equalizer settings for that particular record. EQs weren't standardized until the RIAA curve for vinyl LPs came out; 78s were all over the map.
Plus, they were expected to be played with steel needles on mechanical gramophones. Lots of tin, not much warmth.
I have listened to a record on a high-quality turntable with a good amplifer and good speakers. I'll take a non-companded CD from the early-to-mid-90s (before the Loudness Wars) over the vinyl disc any day. Just make sure my amp has either FETs or tubes in the power stage; they work the same way.
FLEXlm runs on more than just UNIX, and can be run as either a single node or a set of three for redundancy (and load-share, IIRC). And you can load multiple vendor daemons into the same FLEXlm server daemon. (And I think I mean FLEXnet and not FLEXlm 'cause the bastards at Macrovision renamed it to leverage their value-add proposition on a diverse networkological paradigm in a going-forward... never mind.)
It has the advantage that most UNIX admins who have dealt with it will know how to deal with it for other products that use it. It has a massive _disadvantage_ that the vendor must provide a daemon for you. So we can't move our licenses from Solaris to Linux because Sun doesn't have a daemon for their old compiler (that we use for our old product when someone waves a really large cheque and wants a patch). Same with other licenses for either "we don't do Linux" or "we've gone bankrupt".
It's still a pain in the ass, but it's a known and predictable pain.
Oh, and I've never bothered getting the 3-node redundant thing working. That would require, oh, a budget and room for the extra 2 machines....
There's a sci-fi dystopia novel (Noir, K.W. Jeter) about a future where copyright has been extended past its current insane bounds. The media companies had been working on TINC (Turd In A Can), but had dropped that as it actually required physical objects to be created. (Think cheap Chinese-sewn T-shirts with a $50 logo on it.)
The next iteration is TOAW (Turn On A Wire), delivered with end-to-end digital encryption and playback management, and you don't even need anything other than a cheap server sending out data. No physical manufacturing required! Just a slick ad campaign, and you're not allowed to talk about your experience with the media.
It may be annoying, but they have to stick with that stupid 8.3 naming thing for hysterical raisins. Things that read camera cards aren't required to understand FAT32....
Having multiple cameras, I gave up on the whole unique-number thing and have the camera re-set for each card. (Actually, what mine do, is they take "highest picture number on card +1" when you insert the card and count from there. Which is handy if you put the same card in multiple cameras.)
Why anyone would expect files in different folders to guaranteed to have different names is beyond me, though. I know of no system API or operating convention that would provide that.
How do the two different DSL providers get signal to your house? Here, the only company that can provide last-mile copper phone lines is Bell. Just like the only company that can provide last-mile copper cable lines is Roger's. So, no matter what, you're on one or the other company's wiring plants.
And the Ts&Cs at Roger's mean you can't operate any server. So that means just DSL providers.
So you can't escape Ma Bell. Unless you go Microwave or Satellite.
Watts are heat. Any watt that is consumed inside your house is eventually dissipated as heat. Sound makes thins vibrate which warms them up by friction. Light warms things up when it is absorbed. Thermal losses are, of course, the heat created when we're trying to do something useful. Anything rotating causes friction in the bearings, and in the air.
Find the average watts used, and you can calculate BTU/h equivalent. Once you have that, you can find your cooling load. Say, using my house, which consumes about 500W at baseline:
500W * 3.41 BTU/h/W = 1705 BTU/h
Given my central A/C is a small system, 1.5 tons, which is 18,000 BTU/h, that leaves... oooh... most of the unit's capacity for cooling the effects of the sun.
Once you know the cooling load, you can use the EER or SEER of your A/C to calculate the approximate power use.
So, my A/C has a SEER of 13 (I'm in Canada, 13 is plenty). SEER is BTU/W*h, so if we divide the cooling load by the SEER:
1705/13 = 131. W
So, that 500W adds another 131W of A/C. One could put that all together and come up with a percentage scale factor, like... oooh... I'd use 30% for my system. (Got to power the air handler inside also, after all.)
The way I handle this, at work and on my home server for friends, is to self-sign a certificate signing certificate. I can then give my users a way to download and verify that certificate separately from the web site.
Then, my web site presents a certificate signed with that signing certificate, just like you'd get from a regular CA. If you've loaded the certificate signing certificate into your browser or system certificate manager, then no more dialogues.
This has the additional advantage: I can issue client certificates and tell my server to accept all client certificates signed by my signing certificate. I'd need to get a signing certificate to do that with VeriSign or that lot, and that's getting seriously spendy.
But if all you're using https: for is data hiding, then it doesn't matter, does it?
Heck, I know many places to find a good apple pie around town. Or make one myself, it's not that difficult, and I've got a choice of recipes.
Finding a good orgy, on the other hand, is _hard_.
So even if I have more apple pie than orgies in a year, the searches will be the other way around. I'm not saying I do eat more pie than go to orgies, mind.
Unless you've got an implementation of something like NaturalOrder.
(Anyone remember a sorting problem when time_t increased by one digit and programs sorting timestamps alphabetically got the idea of "what's old" really, really wrong? Beware of the urge to treat numbers as text!)
Any circumstances where the OS has an "auto run" or "dig through the CD and find out what's on it" function.
Heck, even JPEGs have been used for attack vectors... there can be bugs in any decode program, so on no account should the OS do anything automatically to removable/hotpluggable media.
There are even DOS attacks you can do with mal-formed ISO9660 filesystems. I've kernel panicked big UNIX servers with bad CDs; back when mkisofs had more bugs and I didn't know how to use it....
Any time a computer trusts user-provided data to be correctly formed, you've got a problem.
I downloaded it, tried to run it on Red Hat Enterprise 4 and discovered you need the New Hotness from Red Hat Enterprise 5, and had to recover my ~/.mozilla/firefox directory from the NetApp.snapshot directory. (It wiped out all my cookies and settings. Not cool.)
I'm fundamentally not impressed with something that needs the bleeding edge of cairo, glib, gtk+ and all that rot. I actually have all that stuff compiled for Red Hat Enterprise 4 (not in my default paths, though), but damnit, don't we want the most possible users? Heck, they support an older version of Windows (XP)!
Oh yeah: Opera still seems happy on this version of RHEL....
I've seen highway ramps with stoplights at the beginning of them, so they can meter the flow of cars onto the highway. If people would actually allow space behind the car in front, those wouldn't be necessary, but basically they're so that people can merge. And they at least leave you with room to get up to speed so you really can merge. (Those are near the Ford plant in Oakville.)
What's really scary is traveling in Pennsylvania for the first time and finding yourself on a highway that doesn't have a merge lane. You get to the top of the ramp and there's a YIELD sign. You either get your timing bang spot on while you're on the ramp, or you're screwed. Heck, there were even some old-fashioned cloverleafs with the scary weaving lanes and everything!
Also, a lot of cruise controls have a fair amount of error in the set speed. Vacuum-operated ones are the worst, I've seen slop of 5 mph in the speed. I can get better accuracy than that with my right foot. (Of course, I'm in a manual: I can drive with a steady pitch from the engine and I'm at a steady speed. I'd probably be a real mess with one of those ECVT things.)
It does amaze me, though, at the number of people who don't seem to know you need more gas going up a hill.
Well, if you still make a bit-for-bit COPY of the bits that you CAN copy, all you've left out is the media keys for _decryption_. So, you've made a simple copy of 99.999% of the data on the disk.
The trick is, playing it back you have to actually break the encryption now. You can't use your player key plus the media key to decrypt.
You get paid for your time to write something useful for someone. Just like I do, I don't get royalties on any of the closed-source products at work, I just get paid for my time. Which does include some hacking on free software to suit our needs. And making sure that licenses are followed, and that GPL and similarly licensed code does not get combined with our proprietary code.
If no-one wants that program enough to pay someone to write it, then it gets done by people who want to have that program more than they want to be paid to write a different program. Or by people who just want to write software.
Or it doesn't get done.
Unlike commercial software, though, there isn't a whole bunch of marketing out to trick people into wanting the program. "Install this toolbar and we'll p0wn your Internet Explorer I mean give you an enhanced browsing experience!"
NFS still does assume UIDs are trustworthy. Keep in mind, Sun did NFS and NIS roughly together, and they use the same RPC mechanism. But it is very much a relic of the "trusted LAN" era. If you've got switches that allow arbitrary machines to connect, and DHCP servers that give arbitrary machines address information, NFS is probably not for you.
Even with root squash, there's still no security. That just means I need to switch to someone else's UID before I can read their files--and that's just a quick vi/etc/passwd away. Even easier if NIS is up, because I can get the entire passwd file from the NIS server.
The great thing about the various attempts to add security to NFS is, they don't work with everything. The only redeeming feature of NFS is that every UNIX-a-like can at least operate as an NFS client. If you now have to do PKI and token management, why not install a good distributed file system instead? Maybe something with aggressive-but-useful client-side caching with server invalidation?
We ran into this at work; particularly on a workstation that was being used as a Web server for ClearQuest (*shudder*). Anyway, Linux I/O just _sucked_ on it. Perusal of the boot messages showed it couldn't bind the SATA driver because the IDE driver was already bound at that PCI address; and the IDE driver wasn't happy with the hardware so was running in 16-bit PIO mode.
Flipping "SATA Support" from "Compatible" to "High Performance" in the BIOS got that fixed real fast. But I'll bet Windows XP won't install on that machine now. In fact, I'll bet they haven't even got SATA support for booting and installing XP SP3... if they ever re-fresh the CDs in retail channels.
(Windows gurus may know how to make new Windows CDs with more drivers. I only know how to do what it says in the retail box instructions.)
I was asking a 1000 Islands tour boat guide about the mussels a few years back. Apparently, all the boats on the St. Lawrence and eastern Lake Ontario have dealt with them in a very simple way: They don't like copper. So the boats all have copper pipes for their underwater inlets and outlets, and don't get clogged up.
Lining the concrete cooling water pipes on the Pickering plant with copper might be a bit pricey, of course.
Re:SSL Monopolies, SubCAs, PKI use, and supply/dem
on
Choosing an SSL Provider?
·
· Score: 5, Insightful
What you describe does work, though it gets annoying.
Basically, when your server negotiates SSL with the browser, it has to provide all the certificates in the trust chain that the browser doesn't have. So, bigISP.com has a certificate signing certificate from VeriSign, and signs a Web certificate for your company. Any time an SSL request comes in, your server has to present it's public certificate and the public certificate of bigISP.com's signing certificate. The browser already has VeriSign's public certificate signing certificate.
So, it's kind of like DNS resolution, where you have to "know" the root server, and then can build a chain down to get the actual name server to ask. But, in this case, you need a trust chain of signed certificates. With one or two layers, it's not _that_ big a deal...
The real downside is maintenance. Each layer has its own expiry, and you have to re-establish the chain whenever a certificate in it expires. That means new private certs and updating the public certs that are sent with the SSL transaction.
If, instead, your certificate is signed by a certificate for which there is a public key pre-loaded into the browser, you only have 1 certificate to update when it expires or when the signing certificate expires.
I use a self-signed certificate signing certificate for my home systems and for my department's SSL servers at work. But there's a very limited number of people who are supposed to access those servers, so they can be given the public signing certificate by hand. And even then, I wind up on vacation and unable to get to my IMAPS server because I forgot the signing certificate is going to expire on me....
So, keeping the chain short is actually worth-while, just from a maintenance perspective.
Retrospect works exactly like that. It uses a hash of the file to determine if it is already backed up, irrespective of the path name and other normal attributes. Then it just keeps a record of "this hash key goes to this path with these attributes".
Which is handy when you copy a bunch of stuff from one node to another; you don't choke your backup server with copies, but you can still re-create each machine from a Snapshot.
Obviously, users with different ID3 tags in what started out as the same file will still result in multiple copies....
Slashdot Mirror
And I'd far rather do it in software than with the alleged "red-eye reduction" mode on my camera's flash. I've turned it off ever since the first picture I ever took with "red-eye reduction". It reduced red-eye alright; everyone closed their eyes on the first firing of the flash, so I got a picture of four sysadmins drinking beer with their eyes closed.
I don't know if my newer cameras are any better--I've never used red-eye reduction on them. But I'd rather fix red-eye on the computer than screw up the rest of the picture in the field.
Heck, Red Steel was featured in the launch ads for the Wii. It may not be the greatest game, but when the guy says "All right, get a gun" and the player starts shooting people, well, I think that's pretty violent.
Maybe that's just 'cause I think shooting people is violent.
And a #1 reason to buy a video game.
HSBC Direct Canada bloody uses them. And you're limited to answers LONGER than 8 characters. And you can't have a space.
And all my hobbies have spaces in them OR are shorter than 8 characters, same with car, same with city, same with mother's maiden name, same with school name, and so on.
So I added more "masked" columns to my SpashID entry for that account and filled out more random gibberish.
78s are not vinyl, they're phenolic (Bakelite). Whether or not they have any warmth depends on whether you've been able to find the right equalizer settings for that particular record. EQs weren't standardized until the RIAA curve for vinyl LPs came out; 78s were all over the map.
Plus, they were expected to be played with steel needles on mechanical gramophones. Lots of tin, not much warmth.
I have listened to a record on a high-quality turntable with a good amplifer and good speakers. I'll take a non-companded CD from the early-to-mid-90s (before the Loudness Wars) over the vinyl disc any day. Just make sure my amp has either FETs or tubes in the power stage; they work the same way.
FLEXlm runs on more than just UNIX, and can be run as either a single node or a set of three for redundancy (and load-share, IIRC). And you can load multiple vendor daemons into the same FLEXlm server daemon. (And I think I mean FLEXnet and not FLEXlm 'cause the bastards at Macrovision renamed it to leverage their value-add proposition on a diverse networkological paradigm in a going-forward... never mind.)
It has the advantage that most UNIX admins who have dealt with it will know how to deal with it for other products that use it. It has a massive _disadvantage_ that the vendor must provide a daemon for you. So we can't move our licenses from Solaris to Linux because Sun doesn't have a daemon for their old compiler (that we use for our old product when someone waves a really large cheque and wants a patch). Same with other licenses for either "we don't do Linux" or "we've gone bankrupt".
It's still a pain in the ass, but it's a known and predictable pain.
Oh, and I've never bothered getting the 3-node redundant thing working. That would require, oh, a budget and room for the extra 2 machines....
There's a sci-fi dystopia novel (Noir, K.W. Jeter) about a future where copyright has been extended past its current insane bounds. The media companies had been working on TINC (Turd In A Can), but had dropped that as it actually required physical objects to be created. (Think cheap Chinese-sewn T-shirts with a $50 logo on it.)
The next iteration is TOAW (Turn On A Wire), delivered with end-to-end digital encryption and playback management, and you don't even need anything other than a cheap server sending out data. No physical manufacturing required! Just a slick ad campaign, and you're not allowed to talk about your experience with the media.
At least, it _says_ it's fiction on the cover.
It may be annoying, but they have to stick with that stupid 8.3 naming thing for hysterical raisins. Things that read camera cards aren't required to understand FAT32....
Having multiple cameras, I gave up on the whole unique-number thing and have the camera re-set for each card. (Actually, what mine do, is they take "highest picture number on card +1" when you insert the card and count from there. Which is handy if you put the same card in multiple cameras.)
Why anyone would expect files in different folders to guaranteed to have different names is beyond me, though. I know of no system API or operating convention that would provide that.
How do the two different DSL providers get signal to your house? Here, the only company that can provide last-mile copper phone lines is Bell. Just like the only company that can provide last-mile copper cable lines is Roger's. So, no matter what, you're on one or the other company's wiring plants.
And the Ts&Cs at Roger's mean you can't operate any server. So that means just DSL providers.
So you can't escape Ma Bell. Unless you go Microwave or Satellite.
Watts are heat. Any watt that is consumed inside your house is eventually dissipated as heat. Sound makes thins vibrate which warms them up by friction. Light warms things up when it is absorbed. Thermal losses are, of course, the heat created when we're trying to do something useful. Anything rotating causes friction in the bearings, and in the air.
Find the average watts used, and you can calculate BTU/h equivalent. Once you have that, you can find your cooling load. Say, using my house, which consumes about 500W at baseline:
500W * 3.41 BTU/h/W = 1705 BTU/h
Given my central A/C is a small system, 1.5 tons, which is 18,000 BTU/h, that leaves... oooh... most of the unit's capacity for cooling the effects of the sun.
(Wikipedia on BTU for conversion factor.)
Once you know the cooling load, you can use the EER or SEER of your A/C to calculate the approximate power use.
So, my A/C has a SEER of 13 (I'm in Canada, 13 is plenty). SEER is BTU/W*h, so if we divide the cooling load by the SEER:
1705/13 = 131. W
So, that 500W adds another 131W of A/C. One could put that all together and come up with a percentage scale factor, like... oooh... I'd use 30% for my system. (Got to power the air handler inside also, after all.)
(Wikipedia on SEER.)
Guess who knew exactly what he wanted before calling the heating & air conditioning contractor?
The way I handle this, at work and on my home server for friends, is to self-sign a certificate signing certificate. I can then give my users a way to download and verify that certificate separately from the web site.
Then, my web site presents a certificate signed with that signing certificate, just like you'd get from a regular CA. If you've loaded the certificate signing certificate into your browser or system certificate manager, then no more dialogues.
This has the additional advantage: I can issue client certificates and tell my server to accept all client certificates signed by my signing certificate. I'd need to get a signing certificate to do that with VeriSign or that lot, and that's getting seriously spendy.
But if all you're using https: for is data hiding, then it doesn't matter, does it?
Heck, I know many places to find a good apple pie around town. Or make one myself, it's not that difficult, and I've got a choice of recipes.
Finding a good orgy, on the other hand, is _hard_.
So even if I have more apple pie than orgies in a year, the searches will be the other way around. I'm not saying I do eat more pie than go to orgies, mind.
Y10K problem awaits!
Unless you've got an implementation of something like NaturalOrder.
(Anyone remember a sorting problem when time_t increased by one digit and programs sorting timestamps alphabetically got the idea of "what's old" really, really wrong? Beware of the urge to treat numbers as text!)
Any circumstances where the OS has an "auto run" or "dig through the CD and find out what's on it" function.
Heck, even JPEGs have been used for attack vectors... there can be bugs in any decode program, so on no account should the OS do anything automatically to removable/hotpluggable media.
There are even DOS attacks you can do with mal-formed ISO9660 filesystems. I've kernel panicked big UNIX servers with bad CDs; back when mkisofs had more bugs and I didn't know how to use it....
Any time a computer trusts user-provided data to be correctly formed, you've got a problem.
I downloaded it, tried to run it on Red Hat Enterprise 4 and discovered you need the New Hotness from Red Hat Enterprise 5, and had to recover my ~/.mozilla/firefox directory from the NetApp .snapshot directory. (It wiped out all my cookies and settings. Not cool.)
I'm fundamentally not impressed with something that needs the bleeding edge of cairo, glib, gtk+ and all that rot. I actually have all that stuff compiled for Red Hat Enterprise 4 (not in my default paths, though), but damnit, don't we want the most possible users? Heck, they support an older version of Windows (XP)!
Oh yeah: Opera still seems happy on this version of RHEL....
I've seen highway ramps with stoplights at the beginning of them, so they can meter the flow of cars onto the highway. If people would actually allow space behind the car in front, those wouldn't be necessary, but basically they're so that people can merge. And they at least leave you with room to get up to speed so you really can merge. (Those are near the Ford plant in Oakville.)
What's really scary is traveling in Pennsylvania for the first time and finding yourself on a highway that doesn't have a merge lane. You get to the top of the ramp and there's a YIELD sign. You either get your timing bang spot on while you're on the ramp, or you're screwed. Heck, there were even some old-fashioned cloverleafs with the scary weaving lanes and everything!
Also, a lot of cruise controls have a fair amount of error in the set speed. Vacuum-operated ones are the worst, I've seen slop of 5 mph in the speed. I can get better accuracy than that with my right foot. (Of course, I'm in a manual: I can drive with a steady pitch from the engine and I'm at a steady speed. I'd probably be a real mess with one of those ECVT things.)
It does amaze me, though, at the number of people who don't seem to know you need more gas going up a hill.
Congratulations, you just proved AOL is superior to all other ISPs.
"You are accused of heresy, in thought, word and deed! How do you plead?"
PC LOAD LETTER
Well, if you still make a bit-for-bit COPY of the bits that you CAN copy, all you've left out is the media keys for _decryption_. So, you've made a simple copy of 99.999% of the data on the disk.
The trick is, playing it back you have to actually break the encryption now. You can't use your player key plus the media key to decrypt.
Really, CSS is all about playback control.
You get paid for your time to write something useful for someone. Just like I do, I don't get royalties on any of the closed-source products at work, I just get paid for my time. Which does include some hacking on free software to suit our needs. And making sure that licenses are followed, and that GPL and similarly licensed code does not get combined with our proprietary code.
If no-one wants that program enough to pay someone to write it, then it gets done by people who want to have that program more than they want to be paid to write a different program. Or by people who just want to write software.
Or it doesn't get done.
Unlike commercial software, though, there isn't a whole bunch of marketing out to trick people into wanting the program. "Install this toolbar and we'll p0wn your Internet Explorer I mean give you an enhanced browsing experience!"
NFS still does assume UIDs are trustworthy. Keep in mind, Sun did NFS and NIS roughly together, and they use the same RPC mechanism. But it is very much a relic of the "trusted LAN" era. If you've got switches that allow arbitrary machines to connect, and DHCP servers that give arbitrary machines address information, NFS is probably not for you.
/etc/passwd away. Even easier if NIS is up, because I can get the entire passwd file from the NIS server.
Even with root squash, there's still no security. That just means I need to switch to someone else's UID before I can read their files--and that's just a quick vi
The great thing about the various attempts to add security to NFS is, they don't work with everything. The only redeeming feature of NFS is that every UNIX-a-like can at least operate as an NFS client. If you now have to do PKI and token management, why not install a good distributed file system instead? Maybe something with aggressive-but-useful client-side caching with server invalidation?
(Wanders off to play with OpenAFS some more....)
We ran into this at work; particularly on a workstation that was being used as a Web server for ClearQuest (*shudder*). Anyway, Linux I/O just _sucked_ on it. Perusal of the boot messages showed it couldn't bind the SATA driver because the IDE driver was already bound at that PCI address; and the IDE driver wasn't happy with the hardware so was running in 16-bit PIO mode.
Flipping "SATA Support" from "Compatible" to "High Performance" in the BIOS got that fixed real fast. But I'll bet Windows XP won't install on that machine now. In fact, I'll bet they haven't even got SATA support for booting and installing XP SP3... if they ever re-fresh the CDs in retail channels.
(Windows gurus may know how to make new Windows CDs with more drivers. I only know how to do what it says in the retail box instructions.)
I was asking a 1000 Islands tour boat guide about the mussels a few years back. Apparently, all the boats on the St. Lawrence and eastern Lake Ontario have dealt with them in a very simple way: They don't like copper. So the boats all have copper pipes for their underwater inlets and outlets, and don't get clogged up.
Lining the concrete cooling water pipes on the Pickering plant with copper might be a bit pricey, of course.
What you describe does work, though it gets annoying.
Basically, when your server negotiates SSL with the browser, it has to provide all the certificates in the trust chain that the browser doesn't have. So, bigISP.com has a certificate signing certificate from VeriSign, and signs a Web certificate for your company. Any time an SSL request comes in, your server has to present it's public certificate and the public certificate of bigISP.com's signing certificate. The browser already has VeriSign's public certificate signing certificate.
So, it's kind of like DNS resolution, where you have to "know" the root server, and then can build a chain down to get the actual name server to ask. But, in this case, you need a trust chain of signed certificates. With one or two layers, it's not _that_ big a deal...
The real downside is maintenance. Each layer has its own expiry, and you have to re-establish the chain whenever a certificate in it expires. That means new private certs and updating the public certs that are sent with the SSL transaction.
If, instead, your certificate is signed by a certificate for which there is a public key pre-loaded into the browser, you only have 1 certificate to update when it expires or when the signing certificate expires.
I use a self-signed certificate signing certificate for my home systems and for my department's SSL servers at work. But there's a very limited number of people who are supposed to access those servers, so they can be given the public signing certificate by hand. And even then, I wind up on vacation and unable to get to my IMAPS server because I forgot the signing certificate is going to expire on me....
So, keeping the chain short is actually worth-while, just from a maintenance perspective.
Retrospect works exactly like that. It uses a hash of the file to determine if it is already backed up, irrespective of the path name and other normal attributes. Then it just keeps a record of "this hash key goes to this path with these attributes".
Which is handy when you copy a bunch of stuff from one node to another; you don't choke your backup server with copies, but you can still re-create each machine from a Snapshot.
Obviously, users with different ID3 tags in what started out as the same file will still result in multiple copies....